Court of Justice of the European Uinion
Index of the main cases:
2024
21/03/2024 | C-61/22 | Judgment of the Court in Case C-61/22 - Landeshauptstadt Wiesbaden - The mandatory insertion in identity cards of two fingerprints is compatible with the fundamental rights to respect for private life and to protection of personal data. However, since the regulation laying down that measure was adopted on an incorrect legal basis, the Court of Justice declares it invalid, while maintaining its effects until, at the latest, 31 December 2026 so that the EU legislature may adopt a new regulation on the correct legal basis. The Court finds that the obligation to insert two complete fingerprints into the storage medium of identity cards constitutes a limitation of the fundamental rights to respect for private life and to the protection of personal data, which are guaranteed by the Charter of Fundamental Rights of the European Union. However, such insertion is justified by the objectives of general interest of combatting the production of false identity cards and identity theft and to ensure the interoperability of verification systems. It is appropriate and necessary to those objectives and is not disproportionate when compared with them. |
14/03/2024 | C-46/23 | Judgment of the Court in Case C-46/23 - Újpesti Polgármesteri Hivatal Protection of personal data: the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. Such erasure may cover data collected from that person and data originating from another source. The Hungarian court has sought an interpretation of the GDPR from the Court of Justice. In its judgment, the Court of Justice responds that the supervisory authority of a Member State may order of its own motion, namely even in the absence of a prior request made by the data subject to that effect, the erasure of unlawfully processed data if such a measure is necessary in order to fulfil its responsibility for ensuring that the GDPR is fully enforced. If that authority finds that the treatment of data does not comply with the GDPR, it must remedy the infringement found, even without a prior request from the data subject. A requirement that there be such a request would mean that the controller, where no request is made, could retain the data at issue and continue to process them unlawfully. |
07/03/2024 | C-604/22 | Judgment of the Court in Case C-604/22 - IAB Europe - Auctioning of personal data for advertising purposes: the Court of Justice clarifies the rules under the GDPR When a user consults a website or application containing advertising space, companies, brokers and advertising platforms, which represent thousands of advertisers, can bid in real time, behind the scenes, to acquire that advertising space in order to display advertisements there which are tailored to the user’s profile (Real Time Bidding). In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her. |
05/03/2024 | C-755/21 | Appeal – Law enforcement cooperation – Regulation (EU) 2016/794 – Article 49(3) and Article 50 – Protection of personal data – Unlawful data processing – Criminal proceedings brought in Slovakia against the appellant – Expert’s report drawn up by the European Union Agency for Law Enforcement Cooperation (Europol) for the purposes of the investigation – Retrieval of data from a mobile phone and a USB storage device belonging to the appellant – Disclosure of those data – Non-material damage – Actions for damages – Nature of non-contractual liability) - Europol and the Member State in which damage has occurred arising from unlawful data processing carried out in the context of cooperation between Europol and that Member State are to be jointly and severally liable for that damage |
30/01/2024 | C-118/22 | Request for a preliminary ruling – Directive (EU) 2016/680 - Article 4(1)(c) and (e), read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) thereof, and in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union,must be interpreted as precluding national legislation which provides for the storage, by police authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, of personal data, including biometric and genetic data, concerning persons who have been convicted by final judgment of an intentional criminal offence subject to public prosecution, until the death of the data subject, even in the event of his or her legal rehabilitation, without imposing on the data controller the obligation to review periodically whether that storage is still necessary, nor granting that data subject the right to have those data erased, where their storage is no longer necessary for the purposes for which they are processed or, where appropriate, to have the processing of those data restricted |
25/01/2024 | C-687/21 | Reference for a preliminary ruling – Regulation (EU) 2016/679 - 1. Articles 5, 24, 32 and 82, read together, must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32; 2. Article 82(1) must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function; 3. Article 82 must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision; 4. Article 82(1) must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage; 5. Article 82(1 must be interpreted as meaning that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future |
2023
23/11/2023 | C-710/23 | Request for a preliminary ruling - 1. The extent data related to legal persons falls within the scope of the GDPR, and 2. Whether such provision of information can be made subject to a condition that goes beyond the scope of the GDPR |
14/11/2023 | C-683/23 | Request for a preliminary ruling - Handover of personal data not based on the data subject’s consent or on EU or Member State law |
7/11/2023 | C-655/23 | Request for a preliminary ruling - Whether a data subject can exercise its rights to obtain a prohibitory injunction |
2/11/2023 | C-654/23 | Request for a preliminary ruling - Questions on certain legal aspects of information society services, in particular electronic commerce |
26/10/2023 | C-307/22 | Right of access by the data subject |
24/10/2023 | C-638/23 | Request for a preliminary ruling - Questions about the controller |
07/09/2023 | C-162/22 | Data retained by providers of electronic communications services |
04/07/2023 | C‑252/21 | Social networks – Abuse of a dominant position by the operator of such a network |
22/06/2023 | C‑579/21 | Right of access by the data subject |
04/05/2023 | C‑300/21 | Mere infringement of the GDPR does not give rise to a right to compensation |
04/05/2023 | C-487/21 | Right of access by the data subject |
07/04/2023 | T-183/23 | Request for annulment of the EDPB’s Binding Decision 3/2022 about Meta’s Facebook service |
26/04/2023 | T-557/20 | Right of access by the data subject |
12/01/2023 | C-154/21 | Every person has the right to know to whom his or her personal data have been disclosed |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.